Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1032
Views
0
Helpful
2
Replies

ISE Plus License usage

GRANT3779
Spotlight
Spotlight

‎09-19-2017 02:47 AM - edited ‎02-21-2020 10:34 AM

When exactly does a Plus License get used?

 

 

I have profiled Cisco Phones that Authenticate via MAB and then pass the following authorisation policy -

"If Device is in Endpoint Identity Group / Profiled / Cisco IP Phones then allow access to voice domain"

 

The phone authorises fine but I do not see a Plus license being used.

 

I would have thought because the auth policy is checking a group which contains profiled devices a plus license would be used upon access to the network.

 

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Arne Bier
VIP
VIP

‎09-20-2017 05:21 PM

Good question - the exact mechanics of how licenses are consumed is not well explained by Cisco.  The closest answer I have read is exacly what you mentioned.  However - your AuthZ policy is not referring to a profiling attribute.  You are simply checking whether a device is in an Endpoint Group.  That comes for "free" with the base license, because Endpoint Identity Groups are used for multiple purposes.

I don't have a concrete example, because I don't have PLUS (or EVAL) licenses, but if you were to start doing fancy AuthZ policies that involve conditions about the stuff you found as a result of profiling, then I would assume you'd consume a PLUS license. 

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Arne Bier

‎09-26-2017 12:39 PM

Hi Arne,

 

Yes I guess that makes sense. I may test a few different auth profiles to see if I can find some consistency as to when a plus license is used.

Thanks

0 Helpful
Customers Also Viewed These Support Documents